"I want my money back!" Limiting Online Password-Guessing Financially

Abstract

Online password guessing attacks are a serious threat to the integrity of online accounts. A common defense is rate-limiting, either by slowing down or blocking connections, or by requiring CAPTCHAs to be solved. Both options have serious drawbacks: they facilitate denial-of-service attacks (an attacker can deliberately trigger the block against a legitimate user), they can be circumvented with proxies and CAPTCHA-solving services, and they offer poor usability to the legitimate user. Furthermore, guessing attacks are becoming increasingly easy, fueled by recent data breaches containing several hundred million credentials from well-known websites.

In this work-in-progress report, we propose an opt-in, deposit-based approach to rate-limiting that tackles online guessing attacks. Each login attempt requires a small deposit, which is immediately refunded after a successful sign-in; an online guessing attacker, whose attempts are overwhelmingly unsuccessful, therefore faces high costs for repeated failed logins. We provide an initial analysis of suitable payment systems and reasonable deposit values for real-world implementations, and discuss the security and usability implications of the system.
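The following simulation is an added illustration of the deposit mechanism described above; it is not code from the paper. It assumes details the abstract leaves open: a fixed deposit of 10 cents, that a failed attempt forfeits its deposit while a successful one is refunded at once, and that the attacker runs a plain wordlist attack against known usernames. The `DepositGate`, `wordlist_attack` and `expected_attack_cost` names are the example's own.

```python
"""Simulation of deposit-based login rate-limiting (added example, not the
paper's code). Assumptions not stated in the abstract: a failed attempt
forfeits its deposit, the deposit is a fixed amount in cents, and an attacker
runs a wordlist attack against a set of known usernames."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DEPOSIT_CENTS = 10            # assumed deposit; the paper analyses suitable values
PBKDF2_ITERATIONS = 50_000    # kept modest so the simulation runs quickly
_DUMMY_SALT = os.urandom(16)  # hashed for unknown users so timing does not reveal them


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes


@dataclass
class DepositGate:
    """Login front end that charges a deposit per attempt and refunds it on success."""
    accounts: dict = field(default_factory=dict)   # username -> Account
    balances: dict = field(default_factory=dict)   # payer id -> balance in cents
    forfeited_cents: int = 0                       # deposits kept after failed attempts

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def fund(self, payer: str, cents: int) -> None:
        self.balances[payer] = self.balances.get(payer, 0) + cents

    def login(self, payer: str, user: str, password: str) -> bool:
        """Take the deposit first; give it back only if the credentials verify."""
        if self.balances.get(payer, 0) < DEPOSIT_CENTS:
            raise PermissionError("insufficient funds for the login deposit")
        self.balances[payer] -= DEPOSIT_CENTS
        acct = self.accounts.get(user)
        salt = acct.salt if acct else _DUMMY_SALT
        expected = acct.digest if acct else b"\0" * 32
        ok = hmac.compare_digest(_hash(password, salt), expected)
        if ok:
            self.balances[payer] += DEPOSIT_CENTS   # immediate refund on success
        else:
            self.forfeited_cents += DEPOSIT_CENTS   # assumption: a failure forfeits it
        return ok


def wordlist_attack(gate: DepositGate, payer: str, targets, wordlist):
    """Try each wordlist entry against each target until one succeeds or the list runs dry.
    Returns (compromised usernames, cents the attacker lost to forfeited deposits)."""
    before = gate.balances.get(payer, 0)
    compromised = []
    for user in targets:
        for guess in wordlist:
            if gate.login(payer, user, guess):
                compromised.append(user)
                break
    return compromised, before - gate.balances.get(payer, 0)


def expected_attack_cost(p_success: float, deposit_cents: int = DEPOSIT_CENTS) -> float:
    """Expected deposit loss per compromised account when each guess succeeds
    independently with probability p: the mean number of failures before the
    first success of a geometric trial sequence is (1 - p) / p."""
    return deposit_cents * (1.0 - p_success) / p_success


def demo():
    gate = DepositGate()
    gate.register("alice", "correct horse battery staple")  # not in the wordlist
    gate.register("bob", "123456")                          # a breached favourite
    gate.fund("attacker", 10_000)
    gate.fund("alice", 100)
    # constructed wordlist standing in for a breach-derived guess list
    hits, cost = wordlist_attack(gate, "attacker", ["alice", "bob"],
                                 ["password", "123456", "qwerty"])
    alice_typo = gate.login("alice", "alice", "correct horse battery stapel")
    alice_ok = gate.login("alice", "alice", "correct horse battery staple")
    return {
        "compromised": hits, "attacker_cost_cents": cost,
        "alice_balance": gate.balances["alice"],
        "alice_typo": alice_typo, "alice_ok": alice_ok,
    }


if __name__ == "__main__":
    print(demo())
```

In the demo the attacker pays for every miss (three against alice, one against bob) and is refunded only for the single hit, while alice's one mistyped password costs her a single deposit and her correct login costs nothing. Because the cost falls on whoever pays the deposit rather than on the targeted account, a guessing attacker cannot lock the legitimate user out the way a blocking rate-limiter allows.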